Expert system for security inspection of a digital computer system in a network environment.

(57) A new security system including a plurality of inspectors each of which performs a security check operation in connection with a particular class of possible security violation conditions. One inspector detects security violation conditions reflecting selection of passwords using easily-guessable formatives. Another inspector detects security violation conditions reflecting ability of a network node to improperly use another node over a network. A third inspector determines whether the operating system files have satisfactory protection. Finally, a fourth inspector determines whether security violation conditions arise in connection with applications programs. If, during a security check operation, an inspector determines that a security violation condition exists, it records the condition in a common working memory for further reporting or analysis.
Description

EXPERT SYSTEM FOR SECURITY INSPECTION OF A DIGITAL COMPUTER SYSTEM IN A NETWORK ENVIRONMENT

CROSS REFERENCE TO RELATED DOCUMENT

H.S. Teng, "XSAFE: A Prototype Expert System for Security Inspection of a VAX/VMS System", M.S. Thesis, Computer Science Department, Worcester Polytechnic Institute, Worcester, MA, Dec. 1986, incorporated herein by reference.

1. Field of the Invention

The invention relates generally to the field of computer systems, and more particularly to systems for monitoring security within a computer system to detect potential security flaws which might enable the computer system to be misused.

2. Description of the Prior Art 

Over the past several years, computers have become very important in a number of areas of industrial and governmental operations. Originally, computers were large and expensive devices, operating in relative isolation and programmed and managed by highly trained personnel. As the cost of computer systems decreased, they became directly available to, and used by, people who were not necessarily highly trained in the operation of computers, but instead performed business and technical functions within the organization. Sometimes this has been accomplished by having all users within an organization connect to a single large mainframe computer. Alternatively, systems have been developed involving multiple tightly coupled computer systems or loosely-coupled computer networks to achieve similar results. In many cases, computer systems have been connected to public networks and the public telecommunications system to provide access by remote users.

In any case, providing users with direct access to computer systems has had several effects. One effect has been the requirement that users be able to share access to data and programs within the computer system. Thus, for example, if the computer system performs a bookkeeping and accounting function for a large organization at a number of sites, a number of users at each site may need to access the same data bases at that site. In addition, users at the various sites may need to periodically access data at other sites. To enhance the convenience of the system to the users, usually the facilities to enable the sharing to occur are transparent to the user, that is, they do not require the intervention of a system manager or other highly trained personnel.

As a second effect, and a direct result of the fact that computer systems are being developed which are easily and flexibly used, security within the computer system is an important consideration in system design. First, since a number of users have almost direct access to the system, it is often necessary to ensure that sensitive information which may be maintained on the system, such as personnel, payroll, and technical information, is not available to others who may misuse the information. Closely related is the fact that it is often necessary to ensure that users cannot, intentionally or unintentionally, enter or alter information which they are not supposed to enter or alter.

Furthermore, since increasing numbers of users are being permitted direct access to the computer system, many of the users are not highly trained in computer system use, but instead may be trained only in the clerical or technical area in which they are working. Thus, it is necessary to protect the computer from entries by such personnel which may adversely affect computer system operation, such as entries which may result in alterations to operating system programs and data files which may prevent the system from operating properly or permit them to gain access to information to which they should not have access. In addition, it is necessary to limit access to such files by persons who are knowledgeable in the use of the system, who may intentionally alter the system files to permit them to access information to which they should not have access.

Security systems for enhancing a computer 
system's security have been designed along two 
paradigms. In one paradigm, the system hardware 
and, primarily, the operating system which controls 
computer resources are designed to minimize the 
likelihood of security breaches. While such systems 
may be effective, they are expensive to develop and 
may not have desirable features which may be 
present on other, less secure, computer systems. In 
addition, often such systems are vulnerable to 
misuse and abuse by insiders who misuse their 
operating privileges. 

In the second paradigm, the security system performs an evaluation of the computer system to detect flaws and identify them to an operator for correction. This paradigm assumes that the computer system includes security provisions but that those provisions may be corrupted to create an insecure system.



SUMMARY OF THE INVENTION 

The invention provides a new and improved 
system for detecting security flaws within a digital 
data processing (computer) system. In particular, 
the new system detects flaws, which may permit the 
corruption of the computer system, which may, in 
turn, permit unauthorized use and misuse of the 
computer system. 

In brief summary, the new security system includes a plurality of inspectors each of which performs a security check operation in connection with a particular class of possible security violation conditions. If, during a security check operation, an inspector determines that a security violation condition exists, it records the condition in a common working memory for further reporting or analysis.

BRIEF DESCRIPTION OF THE DRAWINGS

This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

Fig. 1 is a functional block diagram of the new 
security system; 

Fig. 2 is a detailed functional diagram of a portion of the security system depicted in Fig. 1;

Figs. 3A through 10B are flow diagrams 
detailing the operations of the security system 
depicted in Figs. 1 and 2. 

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

1. GENERAL DESCRIPTION 

Preliminarily, the invention provides a new security system in the form of a program run on a computer system which detects security flaws in the computer system. The computer system may include a single processor or a plurality of processors which are tightly coupled or loosely coupled over a network, with each processor in a multiple processor computer system being at a node. Each node may also include conventional peripheral equipment, including mass storage units, printers, video display terminals, telecommunications interfaces, and so forth, in addition to interfaces which allow it to communicate with the other nodes in the computer system. Typically, if the new security system is used in a computer system having a plurality of nodes, it may be run by an operator at one node, which may then enable other nodes to perform operations, as described below, to perform security check operations to verify security aspects of the node.

A functional block diagram of the new security system is depicted in Fig. 1. With reference to Fig. 1, the security system includes a controller 10 which enables a plurality of security inspectors 11 through 14, as detailed below, to perform security operations on various aspects of the computer system in response to operator input information which it receives from an operator interface 15. The controller 10 separately enables each of the various security inspectors 11 through 14 in response to the input information from the operator, and the security inspectors 11 through 14 operate independently of each other in performing their security inspection operations as described below.

In response to enablement from the controller 10 each security inspector 11 through 14, in performing its operations, obtains information regarding the computer system from a common working memory 16 and deposits security information representing the results of its security analysis in the common working memory 16. Following a security operation by one or more of the security inspectors 11 through 14, the controller 10 may enable a security analyzer 17 to analyze the security information in the common working memory 16. The security analyzer 17 couples the results of its analysis to the controller 10 for transmission to the operator interface 15 for presentation to the operator. In performing its security analysis, the security analyzer 17 may use the results of operations by several of the security inspectors 11 through 14 as deposited in the common working memory 16. Thus, for example, the security analyzer 17 may inter-relate the results of security operations obtained by the various security inspectors 11 through 14.

As described above, the security system includes four security inspectors 11 through 14. Each security inspector 11 through 14 performs a different security operation in connection with the computer system. Password inspector 11 detects whether a user who is authorized to use the computer system has selected a password which can be easily guessed. As is conventional, when a user wishes to begin using the computer system, he "logs on", that is, he enters an identification code which identifies him to the computer system. This log on procedure then enables the computer system to permit the user to run the programs and use the data files which are permitted under the account. As part of the user's identification, he provides the system with a password, preferably known only to him, which verifies the identification. The password is usually selected by the user, but often the user selects a password that can be easily guessed, because it is a name associated with the user or his birthday, telephone number, and so forth. Another person who is not authorized to use the account may easily guess the password, and thereby gain access to the programs and data files for malicious purposes. The password inspector 11 detects whether a password has been selected which can be easily guessed so that the operator may require selection of a new password.

A network default account inspector 12 is used if the computer system includes a plurality of nodes interconnected by way of, for example, a network. In one specific computer system, the operating system at each node provides a default account which is used by a process, termed an object, to activate the network at that node. The network default account inspector 12 determines whether a user can execute a program or enable a remote node to execute an applications program while in the default account.

In addition, in one specific computer system, the programs which a user may execute are assigned one or several of a plurality of privilege levels, to control the ability of the user to read, process, and write files in the system. The network default account inspector 12 verifies the privilege level of the network default account.

In one specific computer system, as is conventional, the operating system maintains a plurality of system files that store data which is used in processing of the operating system. Each file includes a protection code vector which identifies the read, write, execute, and delete privileges of different categories of privilege levels. A system file protection inspector 13 performs a series of probe operations in connection with the protection code vector of each system file to find those which have improper protection levels.
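
As an added illustration of the probe that inspector 13 performs over each file's protection code vector (example code written for this page, not the patent's own implementation), the checker below parses a VMS-style protection string with four categories (System, Owner, Group, World) and the Read, Write, Execute and Delete bits, compares each category against an assumed policy ceiling for operating-system files, and returns the files whose protection exceeds it. The string format, the policy ceiling, and the sample inventory (the paths follow VMS naming conventions but the inventory and its codes are constructed) are all assumptions.

```python
"""Protection code vector probe in the style of system file protection inspector 13.
Added example for this page, not the patent's code.  Assumes a VMS-style
protection string "(S:RWED,O:RWED,G:RE,W:RE)"; the policy ceiling is assumed."""
from __future__ import annotations
import re
from dataclasses import dataclass

CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS_BITS = "RWED"                # Read, Write, Execute, Delete
_PROTECTION_RE = re.compile(r"^\((.*)\)$")


@dataclass(frozen=True)
class Finding:
    path: str
    category: str
    excess: str        # access bits present that the policy ceiling forbids
    protection: str


def parse_protection(code: str) -> dict[str, set[str]]:
    """Parse "(S:RWED,O:RWED,G:RE,W:RE)" into {"S": {"R","W","E","D"}, ...}.
    A category omitted from the string, or given with no bits, has no access."""
    m = _PROTECTION_RE.match(code.strip())
    if not m:
        raise ValueError(f"malformed protection code: {code!r}")
    vector: dict[str, set[str]] = {c: set() for c in CATEGORIES}
    body = m.group(1).strip()
    for field in body.split(",") if body else []:
        cat, sep, bits = field.strip().upper().partition(":")
        if cat not in vector or not sep or any(b not in ACCESS_BITS for b in bits):
            raise ValueError(f"malformed field {field!r} in {code!r}")
        vector[cat] = set(bits)
    return vector


# Assumed policy for operating-system files: System and Owner may hold full
# access, Group and World may at most read and execute (never write or delete).
POLICY_CEILING = {"S": set("RWED"), "O": set("RWED"), "G": set("RE"), "W": set("RE")}


def probe_file(path: str, code: str, ceiling=POLICY_CEILING) -> list[Finding]:
    """One probe operation: report every category whose bits exceed the ceiling."""
    vector = parse_protection(code)
    findings = []
    for cat in CATEGORIES:
        excess = vector[cat] - ceiling[cat]
        if excess:
            findings.append(Finding(path, cat, "".join(b for b in ACCESS_BITS if b in excess), code))
    return findings


def inspect_system_files(files: dict[str, str]) -> list[Finding]:
    """Series of probes over a {path: protection code} inventory; returns all violations."""
    findings: list[Finding] = []
    for path, code in files.items():
        findings.extend(probe_file(path, code))
    return findings


# Constructed sample inventory (the codes are made up for the example).
SAMPLE_FILES = {
    "SYS$SYSTEM:SYSUAF.DAT": "(S:RWED,O:RWED,G:,W:)",
    "SYS$SYSTEM:STARTUP.COM": "(S:RWED,O:RWED,G:RE,W:RWED)",
    "SYS$LIBRARY:DCLTABLES.EXE": "(S:RWED,O:RWED,G:RE,W:RE)",
    "SYS$MANAGER:SYLOGIN.COM": "(S:RWED,O:RWED,G:RWE,W:RE)",
}

if __name__ == "__main__":
    for f in inspect_system_files(SAMPLE_FILES):
        print(f"{f.path}: category {f.category} has excess access {f.excess} in {f.protection}")
```

A malformed code raises rather than being silently treated as secure, which is the failure mode a file-protection audit most needs to avoid; the ceiling is a parameter so that a different policy can be applied to non-system files.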

As is conventional, users enable the computer system to process applications programs to obtain processed data therefrom. In many cases, the applications programs use data from data files which may be shared with a number of other applications and users, and it is desirable to provide control over, most notably, writing data to such shared data files, and also deletion of data as well as an entire file. In addition, if the computer system comprises a plurality of nodes interconnected by a network, a user may, by means of a user application, enable a node on the network to eavesdrop on data transmission over the network, which may enable the user to obtain access to data which he is not authorized to access.

The security system includes a user application inspector 14 to minimize jeopardy to security in connection with user applications. The user application inspector 14 includes a plurality of components, as depicted in Fig. 2, which perform, under control of a user inspector controller 20, diverse inspection operations in connection with user applications, including a captive account sub-inspector 21, a network communications sub-inspector 22, an application program sub-inspector 23, and a log-in procedure sub-inspector 24. All of the sub-inspectors 21 through 24 are directly connected to the common working memory 16 and can obtain information therefrom and deposit information therein relating to the results of the security inspections.

The application program sub-inspector 23, in turn, controls two specialist inspectors, namely an executable image specialist 25 and a program code specialist 26 which perform security inspections under control of the application program sub-inspector 23. The specialists 25 and 26 are also directly connected to the common working memory 16 and can obtain information therefrom and deposit information therein relating to the results of the security inspections.

In one specific computer system, the operating 
system maintains a user authorization file to identify, 
for each applications program, the authorized users 
of the applications program and the account from 
which the user may access the applications pro- 
gram. The captive account sub-inspector 21 in- 
spects the information in the user authorization file 
associated with the applications program to ensure 
that the account complies with the requirements for 
the applications. 

The network communication sub-inspector 22 identifies possible security problems with a user application which performs communications over a network. For example, the network communication sub-inspector 22 determines whether the user application enables information to be transferred over the network in plain text, that is, unencrypted, which may be intercepted by others monitoring the network for potentially malicious purposes. In addition, the network communication sub-inspector 22 determines whether a user application transfers passwords over the network, which may be intercepted by others and used maliciously.
The log-in procedure sub-inspector 24 determines whether the user may, during log-in, escape to the operating system level, which is used by an operator to control the computer system. During log-in, the user essentially enables the operating system to execute a series of commands in a log-in file. If the commands in the log-in file permit the user to escape to the operating system, he may be able to modify files used by the operating system to control the system, which is undesirable. The presence or absence in the file of pre-determined commands governs whether the user may escape to the operating system level. The log-in procedure sub-inspector 24 parses a log-in file to determine whether commands are present in the file which would enable the user to escape to the operating level, or whether other commands are absent which would prevent the user from escaping to the operating system level.
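
The two rules that sub-inspector 24 applies, presence of escape-enabling commands and absence of escape-preventing ones, are shown in the added example below (written for this page; it is not the patent's code). The command names are assumed DCL-style commands chosen to make the rules concrete, the comment and label syntax is assumed, and both sample log-in procedures are constructed; the parser strips the prompt, labels and comments before matching so that spacing and case do not hide a command.

```python
"""Log-in procedure check in the style of log-in procedure sub-inspector 24.
Added example for this page, not the patent's code.  The command names are
assumed DCL-style commands chosen to illustrate the two rules: commands whose
presence lets the user escape to the operating system level, and commands whose
absence leaves such an escape open."""
from __future__ import annotations
import re

# Rule 1 (assumed list): commands whose presence enables an escape.
ESCAPE_ENABLING = {
    "SPAWN": "starts a subprocess at the command level, outside the procedure",
    "SET CONTROL=Y": "re-enables the interrupt key, so the procedure can be aborted",
}
# Rule 2 (assumed list): commands whose absence leaves an escape open.
ESCAPE_PREVENTING = {
    "SET NOCONTROL=Y": "disables the interrupt key while the procedure runs",
    "ON CONTROL_Y THEN LOGOUT": "logs the user out if the procedure is interrupted",
    "ON ERROR THEN LOGOUT": "logs the user out instead of dropping to the command level on error",
}


def normalize_command(raw: str) -> str:
    """Strip the '$' prompt, a leading label, a '!' comment and extra spaces; uppercase."""
    line = raw.split("!", 1)[0].strip()          # '!' starts a comment (assumed syntax)
    if line.startswith("$"):
        line = line[1:].strip()
    line = re.sub(r"^\w+:\s*", "", line)          # drop a leading "LABEL:"
    line = re.sub(r"\s*=\s*", "=", line)          # "SET NOCONTROL = Y" -> "SET NOCONTROL=Y"
    return re.sub(r"\s+", " ", line).upper()


def parse_login_file(text: str) -> list[str]:
    """Return the normalized commands of a log-in procedure, in order."""
    return [c for c in (normalize_command(l) for l in text.splitlines()) if c]


def _matches(command: str, pattern: str) -> bool:
    # The pattern must start the command and end at a word boundary, so
    # "SPAWN/NOWAIT" matches "SPAWN" while "SPAWNER" does not.
    return re.match(re.escape(pattern) + r"(?!\w)", command) is not None


def inspect_login_file(text: str) -> list[tuple[str, str, str]]:
    """Apply both rules; each finding is (kind, command, reason), kind 'present' or 'absent'."""
    commands = parse_login_file(text)
    findings = []
    for cmd in commands:
        for bad, why in ESCAPE_ENABLING.items():
            if _matches(cmd, bad):
                findings.append(("present", bad, why))
    for required, why in ESCAPE_PREVENTING.items():
        if not any(_matches(cmd, required) for cmd in commands):
            findings.append(("absent", required, why))
    return findings


# Constructed sample log-in procedures (not taken from any real system).
CAPTIVE_LOGIN = """\
$ ! captive account: no escape to the command level
$ SET NOCONTROL=Y
$ ON CONTROL_Y THEN LOGOUT
$ ON ERROR THEN LOGOUT
$ RUN SYS$SYSTEM:ORDER_ENTRY
$ LOGOUT
"""
LEAKY_LOGIN = """\
$ ! log-in procedure with escape paths
$ ON ERROR THEN LOGOUT
$ SET CONTROL = Y
$ SPAWN/NOWAIT
$ RUN SYS$SYSTEM:ORDER_ENTRY
"""

if __name__ == "__main__":
    for name, text in (("captive", CAPTIVE_LOGIN), ("leaky", LEAKY_LOGIN)):
        for kind, cmd, why in inspect_login_file(text) or [("ok", "-", "no escape found")]:
            print(f"{name}: {kind} {cmd}: {why}")
```

The "absent" rule is the one most easily forgotten in a hand-written review: a procedure with no obviously dangerous command still fails if it never disables the interrupt key or never arranges to log the user out on error.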

The application program sub-inspector 23, through the executable image specialist 25 and program code specialist 26, inspects applications programs to determine whether they permit the user to perform operations which may otherwise abuse his privileges in operations within the computer system. The executable image specialist 25 and program code specialist 26 inspect applications programs at different levels. In particular, the executable image specialist 25 examines the executable image of an applications program to determine whether it can perform certain operations which would permit a user running the applications program to violate the security of the computer system, that is, to access, modify, delete, and/or execute operating system files or other sensitive files. The program code specialist 26 performs a similar function in connection with the source code of the applications program.

2. SPECIFIC DESCRIPTION

A. Password Inspector 11

With this background, the sequence of operations performed by the respective security inspectors 11 through 14 will be described in detail in connection with Figs. 3 through 10B. The password inspector 11 will be described in connection with Fig. 3, which depicts the operations performed by the password inspector 11 in performing its security check operation. As noted above, the password inspector 11 inspects passwords to determine if any of them are constructed of formatives which can be easily guessed as being, for example, associated with the person selecting the password, and thus are undesirable to use in a password. The password inspector 11 is constructed as a procedural system which, for each password to be checked, sequences through the undesirable formatives to determine if the password being checked includes such a formative. If the password inspector 11 detects the presence of an undesirable formative in a password, it makes an entry in the common working memory 16 and notifies an operator.

With reference to Fig. 3, when the password inspector 11 begins operating, it identifies the accounts whose passwords are to be checked (step 50). One specific embodiment of the password inspector 11 performs security check operations in connection with passwords for accounts specifically used to gain access to and control the operating system. In one specific computer system, those accounts are identified as a SYSTEM account, a FIELD account, and a SYSTEST system test account. The SYSTEM account is used by the system operator to install programs in the computer system and to maintain its daily operations. The FIELD and SYSTEST system test accounts are provided for use by maintenance personnel to maintain the computer system. In addition, the computer system may include several special purpose accounts for which it is desirable to restrict access, including an account used for backup of data stored in mass storage, an account used for emergency shutdown of the computer system, and an account used for programs for controlling message routing in the network.

After password inspector 11 has identified the 
accounts whose password protection is to be tested 
(step 50), the password inspector 11 identifies the 
node on which the accounts whose passwords are 
to be tested are located (step 51). If the computer 
system is a network of a plurality of nodes, each 
typically will have a network identifier or name, which 
is provided in step 51. In one embodiment, the 
operator provides a node name or identifier in step 
51. 

Following step 51, the password inspector 11 
obtains the identification of formatives which should 
not be used as part of a password (step 52). A 
number of such formatives may be identified, as 
determined, in part, by the experience of the 
operator and others in determining formatives which 
may be easily guessed. Such formatives may 
include, for example, the node name or identifica- 
tion, the account name, the name of the user or a 
relative, the location of the user's home or business, 
the name or other identification of the company or 
work group, and identifying numbers such as a 
telephone number, Social Security number, or 
badge number. This information may be maintained 
in the computer system or it may be provided by the 
operator. 

After the password inspector 11 has obtained the undesirable password formatives (step 52), it sequences to step 53 in which it generates a test password using one or more of the undesirable formatives (step 53) and attempts to open the account on the identified node using the generated password (step 54). If the computer system is a networked system, in the operation in step 54, the password inspector 11 transmits, in a conventional manner, a request over the network to the node which would enable the identified node to open the account and make it available to the requesting node. If the computer system is a single system, that is not a networked system, the password inspector 11 transmits a request to the operating system to open the account. If the account is opened in response to the request, the password inspector 11 receives an affirmative response, and otherwise a negative response.

Following step 54, the password inspector 11 sequences to step 55 to test the response to the request to open the account using the password that was generated in step 53. If the password inspector 11 determines that the response to the request is affirmative, it stores the account and password, and the node name if the computer system is networked, in the common working memory 16 (step 56).

Following step 56, or following step 55 if the response to the request is negative, the password inspector 11 sequences to step 57 to determine if all of the undesirable formatives have been used, in all likely combinations, in the test operation. If not, the password inspector 11 returns to step 53 to generate another password using undesirable formatives and again attempt to open the account. After all undesirable formatives have been used in likely combinations, the password inspector 11 sequences to step 58 to exit.
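
The loop of steps 52 through 57 is shown below as an added example written for this page (not the patent's code). One change is made deliberately: rather than attempting to open an account over the network with each generated password, the loop asks a verifier callable whether a test password matches, so the same formative logic runs at password-selection time against the password a user proposes, or offline against a stored salted hash, and a guessable choice is recorded in working memory without any log-in attempt. The formative classes, the combination rules of step 53 (plain, reversed, digit suffixes, two formatives joined), the PBKDF2-SHA256 hash scheme and the sample node data are all assumptions.

```python
"""Formative-based password check in the style of password inspector 11.
Added example for this page, not the patent's code.  A verifier callable
replaces the account-opening request of step 54, so the same loop can run at
password-selection time or offline against a stored salted hash.  Formative
classes, combination rules, the hash scheme and the sample data are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import itertools
from typing import Callable, Iterable, Iterator


def normalize(s: str) -> str:
    return "".join(ch for ch in s.lower() if ch.isalnum())


def collect_formatives(info: dict[str, str]) -> set[str]:
    """Step 52: gather formatives that should not appear in a password.  `info`
    maps a label (node, account, user name, ...) to a value; each value is kept
    whole and also split into words, so 'Jane Q. Public' yields janeqpublic,
    jane and public (fragments shorter than three characters are ignored)."""
    forms: set[str] = set()
    for value in info.values():
        for piece in [value] + value.replace("-", " ").replace(".", " ").split():
            p = normalize(piece)
            if len(p) >= 3:
                forms.add(p)
    return forms


def generate_test_passwords(formatives: Iterable[str]) -> Iterator[str]:
    """Step 53, repeated by the loop of step 57: likely combinations of formatives."""
    forms = sorted(set(formatives))
    for f in forms:
        yield f
        yield f[::-1]                     # reversed
        for n in range(100):              # formative followed by one or two digits
            yield f"{f}{n}"
        yield f"{f}1234"
    for a, b in itertools.permutations(forms, 2):
        yield a + b                       # two formatives concatenated


def check_account(verify: Callable[[str], bool], formatives: Iterable[str]) -> str | None:
    """Steps 53-57 for one account: return the first test password the verifier
    accepts (a security violation), or None if none of them matched."""
    for test in generate_test_passwords(formatives):
        if verify(test):                  # steps 54-55
            return test
    return None


def plaintext_verifier(candidate: str) -> Callable[[str], bool]:
    """Policy use at password-selection time: does a test password equal the proposal?"""
    c = normalize(candidate).encode("utf-8")
    return lambda test: hmac.compare_digest(c, normalize(test).encode("utf-8"))


def make_hash(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    # PBKDF2-SHA256 is assumed; the iteration count is kept low only to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_verifier(salt: bytes, digest: bytes, iterations: int = 1000) -> Callable[[str], bool]:
    """Audit use against a stored salted hash, with no log-in attempt needed."""
    return lambda test: hmac.compare_digest(make_hash(test, salt, iterations), digest)


def inspect_accounts(node: str, accounts: dict[str, Callable[[str], bool]],
                     formatives: Iterable[str]) -> list[dict[str, str]]:
    """Loop over the accounts of step 50; each match becomes a working-memory entry (step 56)."""
    forms = set(formatives)
    memory: list[dict[str, str]] = []
    for account, verify in accounts.items():
        matched = check_account(verify, forms)
        if matched is not None:
            memory.append({"node": node, "account": account, "password": matched})
    return memory


# Constructed sample data for one node (not from the patent or any real system).
SAMPLE_INFO = {"node": "ACCTG1", "account": "SYSTEM", "user": "Jane Q. Public",
               "company": "Widget Works", "phone": "555-0147"}

if __name__ == "__main__":
    forms = collect_formatives(SAMPLE_INFO)
    salt = b"constructed-salt"
    accounts = {
        "SYSTEM": plaintext_verifier("Public99"),                       # proposed password
        "FIELD": hash_verifier(salt, make_hash("acctg1system", salt)),  # stored hash
        "SYSTEST": plaintext_verifier("Tr0ub4dor&3"),
    }
    for entry in inspect_accounts("ACCTG1", accounts, forms):
        print(f"{entry['node']}::{entry['account']} uses guessable password {entry['password']!r}")
```

Because the verifier is the only point at which a password is compared, the number of test passwords is bounded by the formative list and never by the account's lockout policy, and the working-memory entry carries exactly what step 56 stores: node, account and the matched password.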

B. Network Default Account Inspector 12

The network default account inspector 12 will be described in connection with Figs. 4A through 4C, which detail the sequence of operations performed by the network default account inspector 12. Preliminarily, the network default account inspector 12, which is on one network node, performs a security inspection of the network default account on another node to address several security concerns relating to one specific networked computer system.

In one specific computer system including a plurality of nodes interconnected by a network, the network default account contains programs and files used to support communications over the network. The network default account permits access to the node from other nodes without requiring them to provide an account name and password. Accordingly, it is undesirable for the network default account to have privilege sufficient to permit it to access operating system files. The network default account inspector 12 inspects the network default account by checking the privileges accorded to the account.

A related problem may arise if a user on one node of the network can enable a remote node to execute a batch, that is, non-interactive, program, to be executed under the remote node's network default account. The network default account inspector 12 determines whether the remote node will execute a batch program under its network default account.

Another related problem may arise if the network default account has privileges normally reserved to a system operator or the operating system itself to, for example, establish or modify paging maps if the system uses virtual addresses, change device names, and so forth. If the network default account has privileges sufficient to enable users to access, execute, or modify operating system files and programs, then a user on another node in the network may, by transmitting commands to the node under the network default account, perform such operations. Thus, it is desirable to ensure that the network default account does not have sufficient privilege to enable a user operating thereunder to directly access, execute, or modify the operating system files.

In addition, each node in the network has several entities, or objects, which provide network services. One object, a TASK object, allows "task to task" communications between two programs. This communication may occur even if they are running under different operating systems and if they use different programming languages. A problem arises if the TASK object is part of, and can be run in, the network default account. If the TASK object can be run in the network default account, a user can run any program, including interactive programs, on a remote system without having to be in an authorized account on his system.

Another object is a ROUTING object which is used to facilitate message routing through the network if, for example, the network is divided into a plurality of local networks. In one specific embodiment, the network may comprise a plurality of local networks interconnected by network interfaces, which also comprise nodes on the network. When a node on one local network requires communications with a node on another local network, the communication is performed through one or more interfaces, and depending on the network topology, intermediate local networks. The ROUTING object permits the user to specify a path through nodes, generally the network interfaces, to effect communications over the network, and if the ROUTING object can be run on the intermediate nodes under their network default account, the identity of the user and originating node are disguised.

Finally, in one networked computer system, 
typically the nodes include a mass storage device 
such as a disk unit for storing files. In that computer 
system, it is possible for a user on one node to 
retrieve the contents of all, or at least portions, of 
files on a remote node which have been deleted by 
making requests under the remote node's network 
default account in conjunction with the TASK object. 

With this background, the operations of the network default account inspector 12 will be described in connection with Figs. 4A through 4C. With reference to Fig. 4A, the network default account inspector 12 first identifies the node on the network on which it is to perform a security inspection (step 70), which will then become a remote node for communications from the node being used by the operator to control the security inspection. The identification of the remote node may be provided by an operator, or, alternatively, if the network default account inspector 12 periodically inspects all of the nodes, the computer system may maintain a list of nodes and the identification of a node may be provided by the list.

After the remote node has been identified in step 70, the network default account inspector 12, in a conventional manner, generates and transmits to the node a request that it open its network default account (step 71). In one specific networked computer system, a user on one node may enable the opening of an account on a remote node by enabling his node to generate a command therefor along with a password which are transmitted over the network in a conventional manner.

After the network default account of the remote node has been opened, the network default account inspector 12 generates a command which would enable the remote node to accept and run a remote batch job, and transmits the command over the network to the remote node (step 72). It will be appreciated that, since the open account is the network default account, if the remote node at this point accepts the command, it is possible to run a batch job under the network default account, which, as noted above, is undesirable. Accordingly, if the remote node transmits, and the network default account inspector 12 receives, an affirmative response to the command (step 73), the network default account inspector 12 makes an appropriate entry in the common working memory 16 identifying the remote node and the security violation (step 74).

Following step 74, or step 73 if the network default account inspector 12 did not receive an affirmative response to the command requesting the remote node to accept and run a remote batch job, the network default account inspector 12 sequences to step 75. In step 75, the network default account inspector 12 generates and transmits a request to the remote node to determine whether the TASK object exists and is enabled. In one specific embodiment, the network default account inspector 12 is able to determine whether an object exists and is enabled by transmitting a command therefor over the network. If an affirmative response is received, since the communications are under the network default account on the remote node, then the TASK object will exist and be enabled under the network default account, which, as described above, is undesirable.

After the network default account inspector 12 transmits the command in step 75 to determine whether the TASK object exists and is enabled in the network default account, the network default account inspector 12 waits for a response from the remote node (step 76). If the network default account inspector 12 receives an affirmative response in step 76, a security violation is indicated and it sequences to step 77 to make an appropriate entry in the common working memory 16. Following step 77, or step 76 if a negative response is received, the network default account inspector 12 sequences to step 80.

In step 80, the network default account inspector 12 generates and transmits to the remote node a command to enable it to determine whether the ROUTING object exists. As described above in connection with the TASK object, since the communications with the remote node are in the network default account, an affirmative response indicates that the ROUTING object exists in the network default account, which, as described above, is undesirable.
After the network default account inspector 12 transmits the command in step 80 to determine whether the ROUTING object exists in the network default account, the network default account inspector 12 waits for a response from the remote node (step 81). If the network default account inspector 12 receives an affirmative response in step 81, a security violation is indicated and it sequences to step 82 to make an appropriate entry in the common working memory 16. Following step 82, or step 81 if a negative response is received in that step, the network default account inspector 12 sequences to step 83.

Following step 82, the network default account inspector 12 makes several additional security check operations if an affirmative response was received in step 76 indicating that the TASK object exists and is enabled and accessible in the network default account. If an affirmative response was received in step 76, the network default account inspector 12 generates and transmits to the remote node a command which causes the remote node to return user identification codes associated with the network default account (step 83). The user identification codes identify users authorized to use the network default account. On receipt of a response message from the remote node containing the user identification codes, the network default account inspector 12 determines whether the codes are satisfactory (step 84) and if not makes an appropriate entry, indicating a security violation, in the common working memory 16 (step 85).

Following step 85, or step 84 if the retrieved user identification codes are satisfactory, and if an affirmative response was received in step 76, the network default account inspector 12 sequences to step 86, in which it generates and transmits to the remote node over the network a command message which enables the remote node to return identifications of the privileges possessed by the network default account. On receipt of a response message from the remote node containing codes identifying the network default account's privileges, the network default account inspector 12 determines whether any of the privileges are undesirable, that is, sufficient to allow a user under the network default account to access, execute or modify any of the operating system files (step 87). If so, the network default account inspector 12 makes an appropriate entry indicating the security violation in the common working memory 16 (step 90).

Following step 90, or step 87 if the privileges associated with the remote node's network default account are satisfactory, the network default account inspector 12 sequences to step 91. In step 91, if an affirmative response was received in step 76, indicating that the TASK object exists and is enabled in the network default account, the network default account inspector 12 generates and transmits to the remote node over the network a command which enables the remote node to attempt to retrieve data from previously erased portions of its mass storage system and return the retrieved data in the form of a message over the network to the network default account inspector 12. If the network default account inspector 12 receives data in response to the command (step 92), it makes an appropriate entry indicating the security violation in the common working memory 16 (step 93). Following step 93, or step 92 if no data was returned by the remote node, the network default account inspector 12 exits (step 94), having completed its security check operations.

C. System File Protection Inspector 13

The system file protection inspector 13 will be described in connection with Fig. 5. Preliminarily, file protection in one specific embodiment of a computer system permits the operator or user establishing the file to select access rights to the file for reading, writing, execution if the file contains a program, and deletion, with access being limited by whether the user wishing to access the file is (i) a system operator or operating system program being processed under the system operator, (ii) the owner or user that established the file, (iii) a group designation for the owner, so that others in a group associated with the owner may have the same access rights as the owner, and/or (iv) the world, or anyone who may use the system.

To identify the access rights of a file, each file contains an access rights vector of sixteen bits divided into four nibbles of four bits each. Each four-bit nibble is associated with a user designation, and each bit in the nibble is associated with one of the four ways in which a file may be accessed, that is, one bit is associated with each of whether the file may be read, written, executed and deleted. Thus, if a file may be read, but not written, executed or deleted by the operating system, in the file's access rights vector in the nibble associated with the operating system the bit associated with reading the file is set and the bits associated with writing, executing and deleting the file are reset.
In that computer system, it is undesirable to permit at least some operating system files to be accessible by the "world", that is, by any user of the computer system. In one embodiment, these files are related, for example, to managing the operating system, providing operating system functions, maintaining maintenance and diagnostic functions, and so forth. An undesirable condition exists if any of these files can be accessed by any user of the computer system. Accordingly, the system file protection inspector 13 probes the files to retrieve their access rights vectors and determines whether their access rights designations are improper.

Specifically, with reference to Fig. 5, if the computer system comprises a plurality of nodes interconnected by a network, the system file protection inspector 13 first identifies the node on which it is to perform a security inspection (step 100). As with the network default account inspector 12, the node may be identified by an operator, or alternatively by a node list if the nodes are periodically inspected automatically. After a node has been identified, the system file protection inspector 13 identifies the files on the node to be inspected (step 101). The identification of the files to be inspected may also be provided by an operator, by the remote node to be inspected, or, if the files on each node are uniform, may be included in or form part of the system file protection inspector 13.

After the system file protection inspector 13 has obtained the identification of the remote node and the files on which it is to perform a security inspection, it sequences to step 102. In step 102, the system file protection inspector 13 performs a probe operation, that is, it generates a message and transmits it to the remote node, the message including a command to enable the remote node to return the access rights vector of a file identified in the message. In response to the message, the remote node obtains the access rights vector of the identified file, generates a response message including the access rights vector and transmits the response message to the system file protection inspector 13.

After the system file protection inspector 13 has received the access rights vector of the file from the remote node, it determines whether the access rights associated with the file are satisfactory or improper (step 103). Specifically, the system file protection inspector 13 checks the nibble of the access rights vector associated with world accessibility, and if any of the bits in that nibble are set, determines that the file's access privilege level is improper. If, in step 103, the system file protection inspector 13 determines that the file's access privilege level is improper, it makes an appropriate entry in the common working memory 16 identifying the file and indicating the security violation (step 104). The system file protection inspector 13 then determines whether all of the files on the remote node have been probed, and if not, returns to step 102 to probe the next file. If all of the files on the remote node have been probed, the system file protection inspector 13 exits (step 106).

The system file protection inspector 13 as described above in connection with Fig. 5 operates in a networked computer system. It will be appreciated, however, that the system file protection inspector 13 can also advantageously operate in a non-networked computer system. In that case, the system file protection inspector 13, instead of obtaining the access rights vector of the files by exchanging messages with a remote node, may obtain it directly from the single computer system and determine whether the vector indicates a security violation.
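The following Python example, added here and not part of the patent, decodes the sixteen-bit access rights vector described above and runs the world-nibble check of steps 102 to 106 over a constructed set of files standing in for a node. The nibble order (system, owner, group, world from the low end), the bit order within a nibble (read, write, execute, delete) and the file names are assumptions; the description fixes only that every bit of the world nibble must be clear.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Layout assumed for this example (the description fixes neither the nibble
# order nor the bit order): nibble 0 = system, 1 = owner, 2 = group,
# 3 = world, counted from the least significant end; within a nibble
# bit 0 = read, 1 = write, 2 = execute, 3 = delete. A set bit grants access.
USER_CLASSES = ("system", "owner", "group", "world")
ACCESS_TYPES = ("read", "write", "execute", "delete")
WORLD_SHIFT = 4 * USER_CLASSES.index("world")


def decode_access_vector(vector: int) -> Dict[str, List[str]]:
    """Split a 16-bit access rights vector into the access types granted
    to each user class."""
    if not 0 <= vector <= 0xFFFF:
        raise ValueError("access rights vector must be a 16-bit value")
    rights: Dict[str, List[str]] = {}
    for index, user_class in enumerate(USER_CLASSES):
        nibble = (vector >> (4 * index)) & 0xF
        rights[user_class] = [
            access for bit, access in enumerate(ACCESS_TYPES) if nibble & (1 << bit)
        ]
    return rights


def world_access_improper(vector: int) -> bool:
    """Step 103: the file is improperly protected if any bit in the world
    nibble is set, whatever the other three nibbles grant."""
    return ((vector >> WORLD_SHIFT) & 0xF) != 0


@dataclass
class WorkingMemory:
    """Stand-in for the common working memory 16: violation entries that the
    reporting stage or other inspectors can read back."""
    entries: List[dict] = field(default_factory=list)

    def record(self, inspector: str, **details) -> None:
        self.entries.append({"inspector": inspector, **details})


def inspect_system_files(files: Dict[str, int], memory: WorkingMemory) -> List[str]:
    """Steps 102 to 106 against an in-memory stand-in for the remote node:
    probe each file's vector, record every improperly protected file in the
    working memory, and return the offending file names."""
    flagged: List[str] = []
    for name, vector in files.items():              # step 102: probe one file
        if world_access_improper(vector):            # step 103: check the world nibble
            memory.record(                           # step 104: working memory entry
                "system_file_protection_13",
                file=name,
                world_access=decode_access_vector(vector)["world"],
            )
            flagged.append(name)
    return flagged                                   # step 106: all files probed


# Constructed sample node: operating system files and their vectors. The file
# names are invented for this example.
SAMPLE_NODE_FILES = {
    "SYSTEM:USER_AUTHORIZATION.DAT": 0x00FF,  # system RWED, owner RWED, group/world none
    "SYSTEM:STARTUP_PROCEDURE.CMD": 0x05FF,   # group may read and execute, world none
    "SYSTEM:DIAGNOSTICS.EXE": 0x10FF,         # world may read: improper
    "SYSTEM:WELCOME_TEXT.TXT": 0x55FF,        # world may read and execute: improper
}


def demo() -> WorkingMemory:
    """Run the inspection over the constructed node and return its working memory."""
    memory = WorkingMemory()
    inspect_system_files(SAMPLE_NODE_FILES, memory)
    return memory


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```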

D. User Application Inspector 14 

It will be appreciated that the previously-described security inspectors, namely password inspector 11, network default account inspector 12, and system file protection inspector 13, were all procedure-based, that is, the inspectors performed security inspections by iteratively checking for the existence of predetermined conditions indicative of security violations. In the user application inspector 14, on the other hand, several of the sub-inspectors, namely the captive account sub-inspector 21, network communication sub-inspector 22 and the specialists 25 and 26 in the application program sub-inspector 23, are rule-based, that is, the sub-inspectors, when enabled by the user inspector controller 20, determine whether a condition identified by a rule is violated and identify the condition in the common working memory 16, whereas the log-in procedure sub-inspector 24 is procedure-based. The various sub-inspectors 21 through 24, including specialists 25 and 26, will be described in connection with Figs. 6 through 10B.

(i) Captive Account Sub-Inspector 21

The captive account sub-inspector 21 will be described in connection with Fig. 6. Preliminarily, one specific computer system provides one type of account identified as a captive account, which, in turn, provides a restricted environment for running applications programs to minimize the effect of errors in the execution of applications programs on the rest of the computer system and, in turn, to minimize the effect of errors in other accounts on the execution of the applications program. Thus, a captive account may, for example, be provided to allow users of limited skills to perform routine tasks while guarding against command entry errors. A captive account may also be provided for a batch operation which is to be run with little supervision, since an error in operation may otherwise adversely affect other operations of the computer system. In addition, a captive account may also be provided for programs, such as accounting or payroll programs, which must be protected from intrusion from other users in the computer system. The limitation of access to the computer system is accomplished by a specialized log-in command procedure used to obtain access to the captive account.

The restrictions of access to the captive account may be accomplished by providing restrictions in connection with log-in to the account and restrictions in connection with functions which may be performed by users in the account. The log-in restrictions may, for example, limit access by various types of users to certain selected times. Thus, for example, a user on a local terminal may be able to access the captive account during certain hours, a second user on a network terminal may be able to access it during other hours and a third user may be able to process a batch program in the account during a third set of hours. The restrictions may be contained in the aforesaid user authorization file for the captive account.

Similarly, the functions which the captive account can perform are limited by settings of flags in the user authorization file for the account. Various flags in a user authorization file for an account are used to identify the account as a captive account and to prohibit use of a sequence of commands or control sequences which permit escape from the log-in operation or an applications program to the operating system.

Other flags may be used to control such things as the delivery of certain system information or mail to the user and to control use of passwords. In addition, other flags may be used to control program execution by the applications programs under the account, in particular, the generation by applications programs of sub-processes.
As described above, the captive account sub-inspector 21 is rule-based, and Fig. 6 depicts structures of two rules. Part 6-1 of Fig. 6 depicts a rule in which, during its application, satisfaction of the rule's premises is indicative of a security violation, which is noted in the common working memory 16. Part 6-2, on the other hand, depicts a rule in which satisfaction of the rule's premises is indicative of evidence of a potential security violation, which is also noted in the common working memory 16. In response to the indication of evidence resulting from a rule application, the captive account sub-inspector 21, or alternatively the user inspector controller 20 after processing by the captive account sub-inspector 21, may perform further tests to determine whether a security violation is indicated. Alternatively, the captive account sub-inspector 21 may determine that a security violation exists, and record that in the common working memory 16, if it finds that the premises of a predetermined number of rules which indicate evidence of potential security violations are satisfied.

With reference to Fig. 6, and particularly to Part 6-1 of Fig. 6, a rule is depicted which determines that a security violation exists if the application program in an account requires a captive account and a captive account flag in the entry for the account in the user authorization file is not set. The reason for the security violation, as shown in Part 6-1, is that, if the captive account flag is not set, a user may access the supervisor level of the operating system by known keystroke control sequences.

During a security check operation, before the captive account sub-inspector 21 applies any rules, the operator first identifies to the captive account sub-inspector 21 an application program on which it is to perform a security inspection. In addition, the captive account sub-inspector 21 obtains from an operator an indication as to whether an application program requires, for example, a captive account. In response to a negative response, the rule depicted in Part 6-1 of Fig. 6 is not applied, since one of the premises, that is, the premise that the application requires a captive account, is not satisfied. On the other hand, in response to an affirmative response from the operator indicating that the application requires a captive account, the captive account sub-inspector 21 determines whether the captive account flag is set in the application program's account. If the captive account flag is set, then the captive account sub-inspector 21 sequences to the next rule, but if the captive account flag is not set the captive account sub-inspector 21 stores a security violation indication in the common working memory 16 before sequencing to the next rule.

The captive account sub-inspector 21 performs similar operations in connection with the rule depicted in Part 6-2. In particular, the captive account sub-inspector 21 obtains from an operator an indication as to whether batch use of the application is to be disallowed. In response to a negative response, the rule depicted in Part 6-2 of Fig. 6 is not applied, since one of the premises, that is, the premise that the application disallows batch jobs, is not satisfied. On the other hand, in response to an affirmative response from the operator indicating that batch jobs are to be disallowed, the captive account sub-inspector 21 determines the condition of a batch flag in the application program's account. If the batch flag indicates that batch jobs are disallowed, the captive account sub-inspector 21 sequences to the next rule, but if the batch flag indicates that batch jobs are not disallowed, the captive account sub-inspector 21 stores an indication of evidence of a potential security violation in the common working memory 16 before sequencing to the next rule.

It will be appreciated that, although only two rules are depicted in Fig. 6, the captive account sub-inspector 21 may include similar rules for other restrictions as described above.

(ii) Network Communication Sub-Inspector 22 

The network communication sub-inspector 22 will be described in connection with Fig. 7. As described above, the network communication sub-inspector 22 inspects network aspects of an application program to identify two potential security violations, namely, whether the applications program transfers, that is, transmits or receives, information which has been previously identified as being sensitive in plain text over a network, and also whether the applications program transfers passwords or access control strings over the network. An access control string is a string which includes the user's name and password and is used to permit access to programs and information.

Two problems may arise if the applications program transfers sensitive information, which may include, for example, personnel, pay and accounting information, over the network in plain text. One problem is that another node on the network may intercept and use the information being transferred in plain text. In addition, another node may inject messages containing false information which is then used by the applications program. Encryption techniques may be used to encrypt information so that it is not transferred in plain text. Similarly, if the applications program transfers access control strings over the network, another node may intercept them and access the programs and information protected thereby.

With this background, the network communication sub-inspector 22 will be described in connection with Fig. 7. Like the captive account sub-inspector 21, the network communication sub-inspector 22 is rule-based, and Fig. 7 depicts, in two Parts 7-1 and 7-2, structures of two rules. The rule depicted in Part 7-1 of Fig. 7 is applied to determine whether the applications program transfers data over the network in plain text, and the rule depicted in Part 7-2 is applied to determine whether the applications program transfers access control strings or passwords over the network.

More specifically, when initially starting the network communication sub-inspector 22 the operator identifies the applications program to be checked and indicates whether the information used by the applications program is sensitive. The network communication sub-inspector 22 searches through the code of the applications program to find code sequences which perform calls to the operating system to perform transfers over the network. When such a code sequence is located, the network communication sub-inspector 22 determines from the applications program whether the code sequence effects a transfer of information or an access control string.

If the code sequence effects a transfer of information, the network communication sub-inspector 22 applies the rule depicted in Part 7-1 of Fig. 7. The network communication sub-inspector 22 further searches through the code of the applications program to determine whether the data is transferred in plain text. If all of the premises of the rule are satisfied, that is, if the code sequence effects a transfer of information over the network, if the information is sensitive, and if the data is in plain text, that is, unencrypted, form, the rule concludes that a security violation exists and the network communication sub-inspector 22 inserts an indication of the security violation in the common working memory 16.

On the other hand, if the code sequence effects a transfer of an access control string, the network communication sub-inspector 22 applies the rule depicted in Part 7-2 of Fig. 7. Since the sole premise of the rule depicted in Part 7-2 requires a finding that the code sequence effects a transfer of an access control string, the rule concludes that a security violation exists and the network communication sub-inspector 22 inserts an indication of the security violation in the common working memory 16.

(iii) Application Program Sub-Inspector 23 

As described above, the application program sub-inspector 23 uses two specialist security inspectors, namely, the executable image specialist 25 described in connection with Fig. 8 and the program code specialist 26 described in connection with Fig. 9. The application program sub-inspector 23 controls and coordinates application of the two specialists under control, in turn, of the user application inspector controller 20.

(a) Executable Image Specialist 25 

The executable image specialist 25 will be described in connection with Fig. 8. As described above, the executable image specialist 25 examines the executable image, that is, the compiled, linked and executable applications program, to identify functions which could be used in such a way as to represent security violation conditions. One computer system provides a plurality of privilege levels arranged in a hierarchy to control access to the diverse functions which are provided by the operating system. With increasing levels, functions of increasingly critical importance to the operation of the computer system can be accessed.

It will be appreciated that functions of an application may be arranged in a hierarchy, with functions of increasing abstraction being in higher levels of the hierarchy. For example, an application may provide word processing capabilities using one of several different editor programs, each editor program being identified by name. At one level of abstraction, the function may be identified by the name of the editor program, and at a higher level of abstraction, the function may be identified by the group function identification "editor".
As described above, the executable image specialist 25 is rule-based. Based on the function hierarchy noted above, the executable image specialist provides several types of rules, each relating to a level in the function hierarchy. The rules are selected to identify combinations of conditions that may be present in the functions of the application, the running environment and requirements of an executable image which indicate security violation conditions. Fig. 8 depicts the structure of a typical rule in the executable image specialist 25. With reference to Fig. 8, the rule includes a premise, which has several parts.

With respect to the rule depicted in Fig. 8, one part (identified by "A" in Fig. 8) of the rule is satisfied if the installed or authorized privilege under the applications program represented by the executable image has a privilege level PRIV.VAL having a selected value. A second part (identified by "B" in Fig. 8) is satisfied if the applications program, as represented by the executable image, has a predetermined function FUNC.VAL. A third part (identified by "C" in Fig. 8) is satisfied if the applications program permits the user to have control over or may select, through the applications program, certain objects in the system, such as file names, directory names and so forth. If all of the rule's premises are satisfied, that is, if the executable image specialist 25 determines that all of parts A through C depicted in Fig. 8 are true, then the conclusion of the rule is that a security violation condition exists, and the executable image specialist 25 records the identification of the condition VIOL.VAL in the common working memory 16.
It will be appreciated that the particular premises and parts thereof which are used in particular rules to identify the existence of security violation conditions will depend upon the particular computer system in which the executable image specialist 25 is used. Generally, the premises may, for example, include the identification of a function or functions which can be performed or called by the executable image. In addition, the premise may identify the environment of the executable image, including the privilege level. Further, the premise may include the security requirements of the application, for example, whether the application is captive or otherwise controlled. The premise may also include reference to how the program is to be controlled. The premises should be such as to identify conditions in which a user may, through an applications program, create, modify, or delete files which are important to the operation of the operating system. Thus, one embodiment includes a rule which identifies a security violation condition if (A) the installed or authorized privilege permits bypassing of the protection code vector regulating access to files, (B) the applications program permits a user to read a file, and (C) the applications program permits a file name to be specified by a user, or it uses a logical name which may be modified by the user. This condition results in the user having the ability to access any file including the system's user authorization file, which is undesirable. Other rules are also provided which protect the user authorization file from being deleted or modified by the applications program or by detached processes which the applications program may generate.
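The two captive account rules of Fig. 6 (Part 6-1 concluding a violation, Part 6-2 concluding evidence) and the three-part executable image rule of Fig. 8 share one shape: premises tested against facts about an account or image, and a conclusion entered in the common working memory. The Python example below, added here and not part of the patent, expresses all three rules in that shape with a small rule applier that also promotes a predetermined number of evidence hits to a violation; the fact names, the flag names, the privilege name BYPASS_PROTECTION and the evidence threshold are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Facts = Dict[str, Any]
VIOLATION = "violation"   # Part 6-1 style: satisfied premises mean a violation
EVIDENCE = "evidence"     # Part 6-2 style: satisfied premises are evidence only


@dataclass(frozen=True)
class Rule:
    name: str
    premises: Dict[str, Callable[[Facts], bool]]  # premise label -> test on the facts
    conclusion: str                                # VIOLATION or EVIDENCE
    reason: str

    def fires(self, facts: Facts) -> bool:
        """A rule applies only when every one of its premises holds."""
        return all(test(facts) for test in self.premises.values())


def apply_rules(rules: List[Rule], facts: Facts, memory: List[dict],
                evidence_threshold: int = 2) -> List[str]:
    """Apply each rule to the facts about one application. Violations and
    evidence are appended to `memory`, a plain list standing in for common
    working memory 16; once `evidence_threshold` evidence rules have fired,
    the accumulated evidence is itself recorded as a violation. Returns the
    names of the rules that fired, in order."""
    fired: List[str] = []
    evidence_count = 0
    for rule in rules:
        if not rule.fires(facts):
            continue
        fired.append(rule.name)
        memory.append({"kind": rule.conclusion, "rule": rule.name,
                       "subject": facts["subject"], "reason": rule.reason})
        if rule.conclusion == EVIDENCE:
            evidence_count += 1
    if evidence_threshold > 0 and evidence_count >= evidence_threshold:
        memory.append({"kind": VIOLATION, "rule": "evidence-threshold",
                       "subject": facts["subject"],
                       "reason": f"{evidence_count} evidence rules satisfied"})
    return fired


# Part 6-1: the application needs a captive account but the captive flag
# in the account's authorization entry is not set.
CAPTIVE_FLAG_RULE = Rule(
    name="captive-flag-not-set",
    premises={
        "application requires captive account": lambda f: f["requires_captive_account"],
        "captive flag not set": lambda f: not f["account_flags"].get("CAPTIVE", False),
    },
    conclusion=VIOLATION,
    reason="user may reach the supervisor level by a control keystroke sequence",
)

# Part 6-2: batch use is to be disallowed but the account's batch flag
# still permits it. Constructed flag name DISALLOW_BATCH.
BATCH_FLAG_RULE = Rule(
    name="batch-not-disallowed",
    premises={
        "operator disallows batch use": lambda f: f["disallow_batch"],
        "batch flag permits batch": lambda f: not f["account_flags"].get("DISALLOW_BATCH", False),
    },
    conclusion=EVIDENCE,
    reason="batch jobs could run an application meant for interactive use",
)

# Fig. 8 rule: (A) PRIV.VAL, a privilege that bypasses file protection,
# (B) FUNC.VAL, the image reads files, (C) the user chooses the file name
# or a user-modifiable logical name. BYPASS_PROTECTION is a constructed name.
IMAGE_FILE_ACCESS_RULE = Rule(
    name="bypass-read-user-chosen-file",
    premises={
        "A: PRIV.VAL": lambda f: "BYPASS_PROTECTION" in f["installed_privileges"],
        "B: FUNC.VAL": lambda f: "read_file" in f["functions"],
        "C: user controls object": lambda f: f["user_selects_filename"],
    },
    conclusion=VIOLATION,
    reason="VIOL.VAL: user can read any file, the user authorization file included",
)

RULES = [CAPTIVE_FLAG_RULE, BATCH_FLAG_RULE, IMAGE_FILE_ACCESS_RULE]

# Constructed facts for one application: the operator's answers plus what the
# inspectors read from the account entry and the executable image.
SAMPLE_FACTS: Facts = {
    "subject": "PAYROLL",
    "requires_captive_account": True,
    "disallow_batch": True,
    "account_flags": {"CAPTIVE": False, "DISALLOW_BATCH": False},
    "installed_privileges": {"BYPASS_PROTECTION"},
    "functions": {"read_file", "print_report"},
    "user_selects_filename": True,
}

if __name__ == "__main__":
    memory: List[dict] = []
    print(apply_rules(RULES, SAMPLE_FACTS, memory))
    for entry in memory:
        print(entry)
```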

(b) Program Code Specialist 26 

The program code specialist 26 will be described in connection with Fig. 9. As described above, the program code specialist 26 examines the source code of an applications program to determine whether relationships between control objects, which control the application program's access and resource availability, identified in the source code constitute a security violation condition. The program code specialist 26, like the executable image specialist 25, is rule-based, with the rule premises identifying the control objects and relationships which are determined likely to constitute security violation conditions.

Fig. 9 depicts a flow diagram illustrating the operations of the program code specialist 26. With reference to Fig. 9, the program code specialist 26 first obtains the identification of an application program (step 110) and determines whether the source code for the application program is available (step 111). If not, the program code specialist 26 exits (step 112), but if the source code is available, it performs a processing operation in connection with the source code to identify the control objects identified therein (step 113) and the relationships among the identified control objects (step 114). Thereafter (step 115) the program code specialist 26 processes the rules which it maintains to determine whether any security violation conditions exist, and, if so, records their identifications in the common working memory 16.

(iv) Log-in Procedure Sub-Inspector 24 

The log-in procedure sub-inspector 24 will be described in connection with Fig. 10. Preliminarily, as is conventional, the computer system provides a log-in file which contains a series of log-in commands which are executed at the beginning of a user session. The log-in command procedure performs a number of functions, including definition of symbols, assignment of logical names, display of welcome, certain status and other messages, establishment of characteristics of the user's terminal, definition of terminal keys to perform certain predefined functions, and initiation of execution of an image of an applications program.

A number of security problems can arise in connection with the log-in procedure, primarily relating to the desirability of preventing users from escaping to the supervisor level of the operating system, which would permit access to applications and other information stored throughout the computer system. One problem is that, since the procedure is stored in a file, unless access to the file is limited to the system operator, thus excluding access by users, it may be possible for a user to modify the file so as to permit escape. In addition, unless the commands in the log-in procedure are suitably selected it may be possible for a user to escape to the supervisor level by a conventional escape keystroke procedure, in the event of a system error detected during execution of the log-in procedure, or in the event of certain other abnormal conditions.

The log-in procedure sub-inspector 24 is procedure-based and parses the commands in the log-in procedure file to detect a command which presents a security violation. The sequence of operations performed by the log-in procedure sub-inspector 24 is depicted in Figs. 10A and 10B. With reference to Fig. 10A, the log-in procedure sub-inspector 24 first obtains from the operator the identification of the log-in procedure on whose file it is to perform a security check operation (step 120), and retrieves the identified log-in procedure file (step 121). In addition, the log-in procedure sub-inspector 24 retrieves the protection code vector associated with the log-in procedure file from the user authorization file to verify that only the system operator may modify the log-in procedure file (step 122). If the protection code vector indicates that others than the system operator may modify the log-in procedure file, a security violation exists, which is recorded in the common working memory 16.

Following step 122, the log-in procedure sub-inspector 24 begins parsing the log-in procedure file for other security violations. The log-in procedure sub-inspector 24 sequences to step 123 to determine whether abnormal termination of the log-in procedure can be performed by entry by the user of an escape keystroke sequence. If such a termination can be performed, the user may be able to escape from the log-in procedure file to the supervisor level of the operating system. If so (step 124), the log-in procedure sub-inspector 24 records the existence of the security violation condition in the common working memory 16 (step 125).

Following step 125, or step 124 if escape to the supervisor cannot be performed by entry of an escape keystroke sequence, the log-in procedure sub-inspector 24 sequences to step 126, in which it checks the commands in the log-in procedure file to determine whether abnormal termination of the log-in procedure, by means of, for example, detection of a system error, will result in the escape to the supervisor level of the operating system. If so (step 127), the log-in procedure sub-inspector 24 records the existence of the security violation condition in the common working memory 16 (step 130).
Following step 130, or step 127 if escape to the supervisor cannot be accomplished in the event of detection of a system error, the log-in procedure sub-inspector 24 sequences to step 131, in which it checks the commands in the log-in procedure file to determine whether escape to the supervisor level of the operating system can be effected by entry of keystrokes by the user during execution of a command. If so, the log-in procedure sub-inspector 24 records the existence of a security violation condition in the common working memory 16 (step 132).
Following step 132, or step 131 if the log-in procedure sub-inspector 24 determines that escape to the supervisor level cannot be accomplished by entry of keystrokes by a user during execution of a command, the log-in procedure sub-inspector 24 sequences to step 133, in which it determines whether the log-in procedure file gives the user access to a text editor which would permit the user to read and write arbitrary files. Using such a text editor, the user could modify the log-in procedure file regardless of the condition of the protection code vector associated with the log-in procedure file. If the log-in procedure sub-inspector 24 determines that the log-in procedure file gives the user access to such a text editor (step 134), the log-in procedure sub-inspector 24 records the existence of a security violation condition in the common working memory 16 (step 135). The log-in procedure sub-inspector 24 exits (step 136) following step 135, or step 134 if it determines in step 134 that the user is not given access to a text editor enabling him to read and write arbitrary files.
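The following is an added illustration, not code from the patent or from the XSAFE prototype: a small static checker that walks a log-in command procedure through the same sequence of checks as the sub-inspector 24 above (steps 122 through 134) and appends each violation to a list standing in for the common working memory 16. The command syntax it recognizes (`SET NOCONTROL=Y`, `ON ERROR THEN LOGOUT`, `SPAWN`, `EDIT` and so on) is a DCL-style assumption, the rule that `SPAWN`/`ATTACH` hand an interactive prompt to the user is a heuristic chosen for this example, and the two procedure files and the protection vectors are constructed.

```python
"""Static inspection of a log-in command procedure (constructed example).

Mirrors the sub-inspector's steps: 122 (who may modify the file),
124 (keystroke escape), 127 (escape on system error), 132 (escape
during a command) and 134 (access to a text editor).  Every violation
is appended to a list that plays the role of the common working memory.
"""
import re

# Assumed DCL-style command patterns; adjust for the real command language.
DISABLE_INTERRUPT = re.compile(r"^\$?\s*SET\s+NOCONTROL\s*=\s*Y\b", re.I)
TRAP_INTERRUPT = re.compile(r"^\$?\s*ON\s+CONTROL_Y\s+THEN\s+LOGOUT\b", re.I)
TRAP_ERROR = re.compile(r"^\$?\s*ON\s+(ERROR|WARNING|SEVERE_ERROR)\s+THEN\s+LOGOUT\b", re.I)
# Heuristic for this example: these commands give the user an interactive prompt.
HANDS_OVER_TERMINAL = re.compile(r"^\$?\s*(SPAWN|ATTACH)\b", re.I)
TEXT_EDITOR = re.compile(r"^\$?\s*(EDIT|EDT|TPU|EVE)\b", re.I)


def check_protection(protection, memory):
    """Step 122: only the owner (the system operator) may modify the file.

    `protection` maps "owner"/"group"/"world" to the set of rights held.
    """
    for cls in ("group", "world"):
        if "write" in protection.get(cls, ()):
            memory.append(("122", f"{cls} holds write access to the log-in procedure file"))


def check_procedure(text, memory):
    """Steps 123 to 134: parse the procedure for ways back to the supervisor."""
    commands = []  # (line number, command text) with blanks and '!' comments dropped
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lstrip("$ ").startswith("!"):
            continue
        commands.append((n, line))

    # Steps 123/124: an interrupt keystroke escapes unless it is disabled or trapped.
    if not any(DISABLE_INTERRUPT.match(c) or TRAP_INTERRUPT.match(c) for _, c in commands):
        memory.append(("124", "Ctrl-Y is neither disabled nor trapped: keystroke escape to supervisor"))

    # Steps 126/127: a system error falls through to the supervisor unless trapped.
    if not any(TRAP_ERROR.match(c) for _, c in commands):
        memory.append(("127", "no ON ERROR/WARNING handler: abnormal termination escapes to supervisor"))

    # Steps 131/132 and 133/134: commands that hand the terminal or an editor to the user.
    for n, c in commands:
        if HANDS_OVER_TERMINAL.match(c):
            memory.append(("132", f"line {n}: '{c}' gives the user an interactive prompt"))
        if TEXT_EDITOR.match(c):
            memory.append(("134", f"line {n}: '{c}' gives the user a text editor"))


def inspect_login_procedure(text, protection):
    """Run all checks; return the working-memory list of (step, message) findings."""
    memory = []
    check_protection(protection, memory)
    check_procedure(text, memory)
    return memory


# Constructed sample procedures.
WEAK_PROCEDURE = """$ ! constructed weak log-in procedure
$ WRITE SYS$OUTPUT "Welcome"
$ EDIT/EDT MENU.TXT
$ SPAWN
$ LOGOUT
"""
HARDENED_PROCEDURE = """$ ! constructed hardened log-in procedure
$ SET NOCONTROL=Y
$ ON ERROR THEN LOGOUT
$ ON WARNING THEN LOGOUT
$ WRITE SYS$OUTPUT "Welcome"
$ RUN MENU
$ LOGOUT
"""
WORLD_WRITABLE = {"owner": {"read", "write"}, "group": {"read"}, "world": {"read", "write"}}
OWNER_ONLY = {"owner": {"read", "write"}, "group": {"read"}, "world": {"read"}}

if __name__ == "__main__":
    for step, msg in inspect_login_procedure(WEAK_PROCEDURE, WORLD_WRITABLE):
        print(f"step {step}: {msg}")
    print("hardened:", inspect_login_procedure(HARDENED_PROCEDURE, OWNER_ONLY))
```

Run against the constructed weak file the checker records one finding for each of steps 122, 124, 127, 132 and 134; the hardened file with an owner-only protection vector produces none. The value of the per-step layout is that each finding names the step of Fig. 10A it corresponds to, so the report can be traced back to the specific escape route the sub-inspector is looking for.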

The foregoing description has been limited to a specific embodiment of this invention. It will be apparent, however, that variations and modifications may be made to the invention, with the attainment of some or all of the advantages of the invention. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the invention.



Claims 

1. A security system for use in connection 
with a computer system comprising: 

A. common memory means having a 
plurality of storage locations for storing 
information; 

B. a plurality of inspection means each 
performing a predetermined class of se- 
curity check operations in connection with 
said digital data processing system to 
identify the presence of security violation 
conditions, said inspection means storing 
indicia identifying the located security 
violation conditions in said common mem- 
ory means; and 

C. control means connected to all of said inspection means for controlling the operation of each of said inspection means in response to a security test request from an operator and for performing a security evaluation operation in connection with indicia stored by said inspection means in said common memory means.
FIG. 4A

FIG. 6